[Snort-users] Experimental Shellcode ?

Render-Vue sales at ...4295...
Tue Feb 19 14:12:02 EST 2002


Hi Yah Chris,

Thanks for the fast and educational reply :)

Much appreciated

Regards from Auckland

Chae

At 10:54 AM 2/20/02, you wrote:
>Render-Vue <sales at ...4295...> writes:
>
> > Hi Yah,
> >
> > Noticed this one from version 1.8.3 logs
> >
> > EXPERIMENTAL SHELLCODE x86 NOOP
> > 2 209.52.171.15 -> xxx.xxx.64.121
> >
> > I've done a search on google etc but can't find an explanation. Can
> > anyone enlighten me please.
>
>
>A NOOP is a computer instruction to do nothing. They are often used
>to pad buffer overflow exploits so typically you would look at the
>full packet data and find the context of the packet and find out if it
>was something against something neat like a rpc service or something
>mundane like the middle of an MP3.
>
>The rule that set it off looks like:
>
>alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL
>SHELLCODE x86 NOOP"; content:"|61 61 61 61 61 61 61 61 61 61 61 61 61
>61 61 61 61 61 61 61 61|"; classtype:shellcode-detect; sid:1394;
>rev:1;)
>--
>Chris Green <cmg at ...671...>
>A good pun is its own reword.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Render-Vue - <http://render-vue.com>
Web Site Hosting - Web Site Design
"Letting the world see who you really are(tm)"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Auckland,
New Zealand. 1705
Tel:- +64 9 536 6367
Mobile:- 025 291 6894
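
As an added example (not part of the original thread, and not Snort's own code), the Python sketch below decodes the content option of the rule quoted above and applies the triage Chris describes: find the match, then look at the surrounding packet bytes. The function names, the printable-byte heuristic and both sample payloads are assumptions constructed for illustration; since 0x61 is also ASCII "a", ordinary text can match the same bytes.

```python
import re

# Rule text as quoted in the reply above (mail line wraps joined).
RULE = ('alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL '
        'SHELLCODE x86 NOOP"; content:"|61 61 61 61 61 61 61 61 61 61 61 61 61 '
        '61 61 61 61 61 61 61 61|"; classtype:shellcode-detect; sid:1394; '
        'rev:1;)')

def content_bytes(rule):
    """Decode the rule's first content option: |..| spans are hex, the rest literal."""
    body = re.search(r'content:"([^"]*)"', rule).group(1)
    out = bytearray()
    for i, part in enumerate(body.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def triage(payload, pattern, window=32):
    """Return (offset, run_length, printable_ratio_of_context) for each match."""
    hits, start = [], payload.find(pattern)
    while start != -1:
        end = start + len(pattern)
        while end < len(payload) and payload[end] == pattern[-1]:
            end += 1  # extend over the rest of the repeated-byte run
        ctx = payload[max(0, start - window):start] + payload[end:end + window]
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in ctx)
        # Ratio is 0.0 when the payload has no bytes around the run.
        ratio = round(printable / len(ctx), 2) if ctx else 0.0
        hits.append((start, end - start, ratio))
        start = payload.find(pattern, end)
    return hits

# Constructed sample payloads (not captured traffic).
TEXT = b"Subject: test\r\n\r\n" + b"a" * 30 + b" end of message\r\n"
BINARY = bytes(range(128, 160)) + b"\x61" * 40 + bytes(range(200, 232))

if __name__ == "__main__":
    pat = content_bytes(RULE)
    for name, data in (("text", TEXT), ("binary", BINARY)):
        for off, run, ratio in triage(data, pat):
            print(f"{name}: sid 1394 content at offset {off}, run {run}, "
                  f"context {ratio:.0%} printable")
```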




